Add support for ECDSA and Ed25519 algorithms, make key size configurable #404
Conversation
Hi @matthewpi. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
bump
@reyvonger I think you tagged the wrong account for him
/ok-to-test
Hey, thanks for raising this, it looks really good! I think mostly this is good to go, I've just got a few comments about the UX of it from when I tested locally.
What do you think?
pkg/apis/validation/validation.go (Outdated)

```go
if encoding != string(cmapi.PKCS1) && encoding != string(cmapi.PKCS8) {
	return field.ErrorList{field.NotSupported(encodingPath, encoding, []string{string(cmapi.PKCS1), string(cmapi.PKCS8)})}
}
```
suggestion: Because this check is before the check on "alg" below, the error I get if I use a "wrong" key algorithm is really confusing.
I tested with this pod:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-csi-app
  namespace: sandbox
  labels:
    app: my-csi-app
spec:
  containers:
    - name: my-frontend
      image: busybox
      volumeMounts:
        - mountPath: "/tls"
          name: tls
      command: [ "sleep", "1000000" ]
  volumes:
    - name: tls
      csi:
        driver: csi.cert-manager.io
        readOnly: true
        volumeAttributes:
          csi.cert-manager.io/issuer-name: intermediate-ca-issuer-2
          csi.cert-manager.io/issuer-kind: Issuer
          csi.cert-manager.io/dns-names: ${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local
          csi.cert-manager.io/key-algorithm: ecdsa
```

and I got:

```
Warning  FailedMount  2s (x4 over 5s)  kubelet  MountVolume.SetUp failed for volume "tls" : rpc error: code = Unknown desc = generating private key: volumeAttributes.csi.cert-manager.io/key-encoding: Unsupported value: "": supported values: "PKCS1", "PKCS8"
```
The error is actually the invalid key algorithm - if I use "ECDSA" the encoding is defaulted for me.
What do you think to moving this encoding check below the check on alg?
Yeah, I'll move the encoding check below the alg check.
```go
	return field.ErrorList{field.NotSupported(encodingPath, encoding, []string{string(cmapi.PKCS1), string(cmapi.PKCS8)})}
}

switch alg {
```
suggestion: Sort of related to my other comment - I think checking for exactly the cmapi.*KeyAlgorithm string is a bit strict and the UX isn't great. If I write csi.cert-manager.io/key-algorithm: ecdsa I kinda want that to work - it's not ambiguous, it's just the wrong casing.
Can we use strings.ToUpper on alg when making these comparisons, so that users don't have to remember the correct case to use when writing YAML?
Should I also do something similar for encoding as well? So pkcs1 and pkcs8 are also supported?
Instead of converting the case or doing case-insensitive comparisons everywhere, I normalize the user-provided values when we set the defaults so we can use the constants everywhere in the code-base.
I really like your approach, yeah. Much better, thanks 😁
Signed-off-by: Matthew Penner <[email protected]>
375bf96 to 7e5f27f
/lgtm
/approve
Thanks so much for this, it's fantastic. I'll set a reminder for myself to revisit this next week and hopefully get a release made including this feature!
Cheers 🚀
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: SgtCoDFish. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Hey, quick update on the release: I think I'm going to hold off until next week. There's an issue unrelated to this PR which we've discovered in csi-lib (a dependency of csi-driver) and if we make a change to csi-lib I'd like it to be included in csi-driver. I'm off work until next Monday, so I'll revisit then. Sorry for the delay!
Another update: sorry again about the delay. I was waiting for investigation on the other bug I mentioned, but I don't think it'll happen really soon. I'll try and release on Monday 👍
This was released in the latest csi-driver release! Thank you for your work on this |
Adds the ability to specify the key algorithm (csi.cert-manager.io/key-algorithm) and size (csi.cert-manager.io/key-size).

Algorithms:

- RSA (2048 <-> 8192)
  - csi.cert-manager.io/key-algorithm: "RSA"
  - csi.cert-manager.io/key-size: "2048" (default if unset)
  - csi.cert-manager.io/key-encoding: "PKCS1" (default if unset)
- ECDSA (256, 384, 521)
  - csi.cert-manager.io/key-algorithm: "ECDSA"
  - csi.cert-manager.io/key-size: "256" (default if unset)
  - csi.cert-manager.io/key-encoding: "PKCS8" (default if unset)
- Ed25519
  - csi.cert-manager.io/key-algorithm: "Ed25519"
  - csi.cert-manager.io/key-size: "" (default if unset. Users MAY NOT set a size as Ed25519 doesn't have a configurable size)
  - csi.cert-manager.io/key-encoding: "PKCS8" (default if unset)

Closes #371
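The following is an added, stand-alone illustration written for this page; it is not code from the csi-driver PR or the cert-manager project. It shows the two behaviours discussed in the thread together: normalizing the user-supplied volumeAttributes once (case-folding and per-algorithm defaults) and validating the algorithm before the encoding so a bad algorithm is not reported as a missing encoding, then generating a key for each algorithm/size/encoding combination listed in the PR description. The `Alg*`/`Enc*` constants, the `KeySpec` type, the `Normalize` and `GeneratePEM` functions, the error wording, the rule that an unset algorithm means RSA, and the rejection of PKCS1 for non-RSA keys are this example's own assumptions, not the project's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strconv"
	"strings"
)

// Hypothetical constants standing in for the cmapi.* ones named in the review; values follow the PR description.
const (
	AlgRSA, AlgECDSA, AlgEd25519 = "RSA", "ECDSA", "Ed25519"
	EncPKCS1, EncPKCS8           = "PKCS1", "PKCS8"
)

type KeySpec struct {
	Algorithm string
	Size      int // 0 for Ed25519, which has no configurable size
	Encoding  string
}

// Normalize folds case and applies per-algorithm defaults before validating. The algorithm is
// checked first so a bad algorithm is not reported as a missing encoding. Assumption: unset means RSA.
func Normalize(alg, size, enc string) (KeySpec, error) {
	var s KeySpec
	switch strings.ToUpper(strings.TrimSpace(alg)) {
	case "", AlgRSA:
		s = KeySpec{AlgRSA, 2048, EncPKCS1}
	case AlgECDSA:
		s = KeySpec{AlgECDSA, 256, EncPKCS8}
	case strings.ToUpper(AlgEd25519):
		s = KeySpec{AlgEd25519, 0, EncPKCS8}
	default:
		return s, fmt.Errorf("key-algorithm: unsupported value %q, supported: RSA, ECDSA, Ed25519", alg)
	}
	if size = strings.TrimSpace(size); size != "" {
		n, err := strconv.Atoi(size)
		if err != nil || s.Algorithm == AlgEd25519 { // Ed25519 has no size to set
			return s, fmt.Errorf("key-size: %q is not valid for %s", size, s.Algorithm)
		}
		s.Size = n
	}
	switch {
	case s.Algorithm == AlgRSA && (s.Size < 2048 || s.Size > 8192):
		return s, fmt.Errorf("key-size: RSA size %d outside 2048..8192", s.Size)
	case s.Algorithm == AlgECDSA && s.Size != 256 && s.Size != 384 && s.Size != 521:
		return s, fmt.Errorf("key-size: ECDSA size %d is not 256, 384 or 521", s.Size)
	}
	if enc = strings.ToUpper(strings.TrimSpace(enc)); enc != "" {
		if enc != EncPKCS1 && enc != EncPKCS8 {
			return s, fmt.Errorf("key-encoding: unsupported value %q, supported: PKCS1, PKCS8", enc)
		}
		if enc == EncPKCS1 && s.Algorithm != AlgRSA { // PKCS#1 can only carry RSA keys
			return s, fmt.Errorf("key-encoding: PKCS1 is only valid for RSA")
		}
		s.Encoding = enc
	}
	return s, nil
}

// GeneratePEM creates a private key for an already normalized spec and PEM-encodes it.
func GeneratePEM(s KeySpec) ([]byte, error) {
	var key interface{}
	var err error
	switch s.Algorithm {
	case AlgRSA:
		key, err = rsa.GenerateKey(rand.Reader, s.Size)
	case AlgECDSA:
		key, err = ecdsa.GenerateKey(map[int]elliptic.Curve{256: elliptic.P256(), 384: elliptic.P384(), 521: elliptic.P521()}[s.Size], rand.Reader)
	case AlgEd25519:
		_, key, err = ed25519.GenerateKey(rand.Reader)
	}
	if err != nil {
		return nil, err
	}
	if s.Encoding == EncPKCS1 {
		der := x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))
		return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}), nil
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

func main() {
	s, err := Normalize("ecdsa", "", "") // constructed input: lower case, as in the reviewer's pod spec
	if err == nil {
		p, _ := GeneratePEM(s)
		fmt.Printf("%+v\n%s", s, p)
	}
}
```

Normalizing once up front means the rest of the code can compare against the constants directly, which is the approach the author settled on; the PKCS1 check is there because `x509.MarshalPKCS1PrivateKey` only accepts `*rsa.PrivateKey`, so letting a non-RSA spec through with PKCS1 would fail at encode time rather than at validation.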
RSA(2048 <-> 8192)csi.cert-manager.io/key-algorithm: "RSA"csi.cert-manager.io/key-size: "2048"(default if unset)csi.cert-manager.io/key-encoding: "PKCS1"(default if unset)ECDSA(256, 384, 521)csi.cert-manager.io/key-algorithm: "ECDSA"csi.cert-manager.io/key-size: "256"(default if unset)csi.cert-manager.io/key-encoding: "PKCS8"(default if unset)Ed25519csi.cert-manager.io/key-algorithm: "Ed25519"csi.cert-manager.io/key-size: ""(default if unset. Users MAY NOT set a size as Ed25519 doesn't have a configurable size)csi.cert-manager.io/key-encoding: "PKCS8"(default if unset)Closes #371